Do Giant GDPR Fines Apply to Data Breaches that Occurred Before May 25?
Although there is as yet no clear-cut answer from the EU, it seems that yes, they do.
By Morten Boel Sigurdsson, CEO, Omada | June 2018
Can authorities issue giant GDPR fines related to data breaches that occurred before May 25 but were discovered after May 25?
Although there is as yet no clear-cut answer from the EU, it seems that yes, they can.
A European Commission official recently stated that data breaches that happened before 25th May but were kept undisclosed would also be liable for GDPR fines, citing, among other reasons, the fact that the deadline has been public for well over a year (in fact since April 14 2016, when the legislation was approved by the EU). The first test case to emerge is in the UK.
In mid-June, it emerged that UK firm Dixons Carphone suffered a data breach comprising 5.9 million customer cards and 1.2 million personal records. The colossal breach is the largest in UK history and although it happened before the GDPR official start date of May 25, the UK’s Information Commissioner’s Office has announced that it is investigating whether the data breach should be treated under GDPR regulation. This would mean a fine of up to Euro 20 million or 4% of the annual turnover, whichever is greater – in this case a potential fine of a staggering £400 million.
The difference between the data breach being fined under the previous legislation or the new one is significant: under the UK Data Protection Act 1998, non-compliant organizations could face fines of up to £500,000, whereas the GDPR’s Euro 20 million or 4% of the annual turnover is somewhat higher. Whatever the organization is ultimately fined, the reputational damage is already significant.
While this case is already being called potentially the first of the GDPR mega-fines, the news has rocked the UK, not least of all Dixons Carphone, where shares have unsurprisingly already plummeted.
The GDPR is one of the most talked-about pieces of legislation in recent times, changing the culture of data handling and giving power back to citizens. The cases that are emerging illustrate that non-compliance and lack of data control can have dramatic consequences not only for affected citizens but also for the organizations involved.
The legislation is not crystal clear, and it will be interesting to see how the different local regulators will interpret the legislation and fine those who have been non-compliant going forward.
However, one thing is clear. Compliance has for all organizations in the GDPR era become a licence to operate.